This report is confidential and is intended for use by the management and Directors of the ICO only. It forms part of our continuing dialogue with you. It should not be made available, in
whole or in part, to any third party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying
on this report does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this
report, however such loss or damage is caused.


It is the responsibility solely of the ICO management to ensure that there are adequate arrangements in place in relation to risk management, governance and control. 
1 Executive Summary


1.1 Background 

As part of the 2015-16 Internal Audit Plan, we agreed with management 
and the Audit Committee to undertake a review to understand whether the 
ICO has successfully realised the intended benefits of its new finance 
system, Great Plains. 


In 2014 the ICO agreed to replace its accounting system as it was no 
longer supported by the vendor, reliant on dedicated desktop PCs and did 
not provide effective reporting to either the Finance team or budget 
holders. A project to identify and deliver a replacement solution was 
therefore initiated in June 2014 and the core application was implemented 
in February 2015. 


The high level requirements of the project were identified as being: 


• A single integrated finance, purchasing and sales solution;

• A general ledger;

• The ability to create and report on departmental budgets;

• Management of the purchase ledger;

• Management of the sales ledger;

• The capability to record and manage project spend;

• Purchase Order Processing (POP);

• Sales Order Processing;

• Management of fixed assets;

• The application of special depreciation rules used by government
organisations;

• End user query and analysis of financial data;

• End user budget reporting and report distribution;

• End user management, ad-hoc and performance reporting;

• Integration with ICE (Dynamics CRM).


1.2 Scope 
Our review involved an assessment of the following risks: 


• The expected benefits and functionality to be derived from the
successful implementation of the new finance system may not have
been achieved;

• The functionality of the new finance system may not include accurate
and complete management information that is automated;

• The ICO may not have undertaken a detailed lessons learned exercise
following the conclusion of this project.


Further details on responsibilities, approach and scope are included in
Appendix A.
1.3 Overall assessment
We have made an overall assessment of our findings as:


Overall assessment: We have identified matters which, if resolved, will help
management fulfil their responsibility to maintain a robust system of
internal control.


Further details of our findings and recommendations are provided in
Section 2.


Please refer to Appendix B for further information regarding our overall
assessment and audit finding ratings.


1.4 Key findings

Risk / Process
Benefits and functionality achievement    -  1  -  -
Management Information                    -  -  -  -
Lessons Learned                           -  -  1  -
Total                                     -  1  1  -


The following finding is assessed as Medium:


The initiation stage of the project was not begun with the completion
and agreement of a formal initiation document. The deliverables set
out in the project brief were not therefore developed into formal
requirements which could be agreed or tracked during design,
development or implementation. As a consequence of this, the
deliverables reported upon in the closure documentation did not
reconcile completely with those in the original brief. Two deliverables
were not taken forward by the project nor detailed in the project
closure document and one not originally included was added and
implemented. For future projects, we would expect all benefits or
requirements set out to be formally tracked by a project board. Any
removed or added during the project lifecycle should be with the
formal agreement of the Project Board and sponsor.


1.5 Basis of preparation
We identified the following controls during our audit:


• The finance system and reporting suite were successfully implemented
in February 2015, delivering eight of the high level requirements. A
further three will be delivered as part of a second phase of
implementation which is currently under way;

• We confirmed that delivery to date has:

  • Removed the need to export and manipulate financial
  information within Excel Spreadsheets;

  • Allowed posting of all departmental costs directly in the ledger
  (and to the correct budgets);

  • Integrated the sales invoicing process, allowing for a true aged
  debtor profile to be produced and managed in association with
  the operational departments;

  • Reduced the resource required to manage individual budgets
  and produce monthly budgetary reports;

  • Allowed budget holders to examine budgetary headings to a
  level that identifies individual items and variances and insert
  commentary which may then be rolled up into management account
  commentary;

  • Reduced the resource required to produce monthly and end of
  year management and financial accounts.

• A project brief document was completed prior to the project inception
that documented the overall project objective and clear SMART
deliverables;

• The project completed a formal closure document that details benefits
and requirement delivery together with plans for the re-scoping of
benefits not delivered as part of the implementation.
1.6 Elsewhere in the sector

We detail below other ways of working and commonly occurring issues 
that we have experienced during similar types of reviews for other public 
bodies. The following does not necessarily purport to be good practice but 
is included for your information and consideration: 


• To manage key person dependencies and allow finance teams to
produce ad hoc reporting when required, other similar organisations
will train both finance managers and finance team leaders in the use of
reporting suites and reporting development software.


1.7 Acknowledgement 
We would like to take this opportunity to thank the staff involved for their 
co-operation during this internal audit. 
2 Detailed Findings


2.1 Benefits and functionality derived from the implementation of the new finance system may not have been achieved


1 | Medium | Governance of the project


Finding and Implication


In scoping the implementation of the finance system, a
project brief was developed by the project manager detailing
fourteen high level deliverables, development and delivery
timescales and the required personnel resource.


The initiation stage of the project was not however begun
with the completion and agreement of a formal initiation
document. The deliverables set out in the project brief were
not therefore developed into formal requirements, agreed or
tracked during design, development or implementation. As a
consequence of this, the project deliverables reported upon
in the closure documentation did not reconcile completely
with those in the original brief. Two deliverables (project
accounting capability and sales order processing) were not
taken forward by the project nor detailed in the project
closure document and one (BACCESS-IP replacement via
Paygate Online) not originally included was added and
implemented.


There is a risk that, by not formally agreeing and tracking
requirements during the scoping and initiation phase,
projects may suffer from scope creep (the addition or
evolving of requirements during delivery), gaps in
requirements or unforeseen requirement dependencies,
ultimately impacting upon the quality of the final product or
overall budget.


Proposed action


The ICO should translate all benefits set out in
project initiation documents into specific delivery
requirements that should then be formally
tracked by the project board. Any benefits or
requirements that are not to be delivered should
be removed in a controlled manner with the
agreement from the Project Board and project
sponsor.


In addition, project closure documentation
should clearly indicate the delivery status of
each requirement or benefit set out in the
original project brief or initiation document. If
removed, the reason for removal/de-scoping and
formal agreement should be documented.


Agreed action (Date / Ownership)


Our project management methodology (PM)
requires the development of a Product Backlog
to both articulate and track all project
requirements and deliverables. Our PM
methodology does not refer to a PID by name,
but we agree the requirements that need to be
tracked and are satisfied that we have the
mechanisms in place (in the form of our Product
Backlog and associated processes) to do that. It
is recognised however that this was not done in
this case. The recommendation is therefore
agreed and no further action is required.


Date Effective: 23 November 2015


Owner: Paul Arnold, Head of Customer and
Business Services
2.2 The ICO may not have undertaken a detailed lessons learned exercise following the conclusion of this project


2 | Post implementation and lessons learned


Finding and Implication


Following the implementation of the new finance system, the
Project Manager completed a formal project closure
document and an implementation review/lessons learned
report. These documents detail the functionality that was
implemented, the re-scoping of requirements not delivered
and improvement discussion points relating to the ICO
procurement process, IT observations, testing and data
migration, support and project management.


Neither the post implementation review nor the closure
document has documented the success of the project from
the end user point of view (i.e. whilst the system was
delivered, does it deliver the functions it was expected to
perform, do users find the application easy to use and is
reporting easy to produce with the correct data?), nor the
ability of the project to deliver to budget and time constraints.


In addition to this, although lessons learned are passed to
the project team, project managers and project sponsors,
there is no formal communication of improvement themes
across teams.


There is a risk that in not focussing on project successes,
the effectiveness of the product delivery, or taking the
opportunity to share lessons right across the ICO, the
department may not fully benefit from developments in good
practice, develop skills across the organisation or prevent
poor practice from being repeated in future projects.


Proposed action


In addition to project management factors and
technical requirements, future project closure
reviews should also take into account how
effective the project has been from an end user
perspective and if the project delivered to time
and cost.


The ICO should also develop and integrate into
the project management methodology a process
for the communication of good practice,
developing methodologies and lessons learned
across individuals and teams involved in project
delivery.


Agreed action (Date / Ownership)


We are satisfied that the positive outcomes from
the finance project were understood by those
involved and shared with all stakeholders and
interested parties. We have however reviewed
our lessons learnt process to ensure things are
recorded more clearly.


Date Effective: 23 November 2015


Owner: Paul Arnold, Head of Customer and Business
Services
A Internal audit approach


Approach 

Our role as internal auditor to a Public Body is to provide an independent 
and objective opinion to the Accounting Officer on risk management, 
control and governance processes, by measuring and evaluating their 
effectiveness in achieving the organisation's agreed strategic objectives. 


Our audit was carried out in accordance with the guidance contained
within the Government’s Internal Audit Standards (2013) and the Auditing
Practices Board’s ‘Guidance for Internal Auditors’. We also had regard to
the Institute of Internal Auditors’ guidance on risk based internal auditing
(2005). In addition, we comply in all material respects with other
Government guidance applicable to Public Bodies and have had regard to
the HM Treasury guidelines on effective risk management (the ‘Orange
Book’).


As part of the internal audit plan for 2015-16, we agreed with the Audit
Committee and management that we should carry out a review of the
delivery of the benefits realised from the implementation of the ICO's new
finance system.


We achieved our audit objectives by: 


• Meeting with individuals responsible for setting, monitoring and
implementing the new system;

• Obtaining evidence to confirm the operation of understood controls;

• Meeting with a sample of individuals with responsibility for carrying
out the implementation across the ICO to understand and test the
processes operated in project management;

• Meeting with a sample of budget holders to understand their
experience of the system implementation process and their experience
of the end product.


The findings and conclusions from this review will support our annual 
opinion to the Audit Committee on the adequacy and effectiveness of 
internal control arrangements. 


Responsibilities 

The Information Commissioner acts through his Board of Management 
and the Information Commissioner's Office ("ICO") discharges his 
obligations. Therefore references to the Information Commissioner and 
the ICO in this report relate to one and the same party. 


It is the responsibility of the Information Commissioner to ensure that the 
ICO has adequate and effective risk management, control and governance 
processes. 


HM Treasury's Corporate Governance in Central Government 
Departments (2011) states that boards of Public Bodies should determine 
the nature and extent of the significant risks it is willing to take in 
achieving its strategic objectives. The Board should therefore maintain 
sound risk management and internal control systems and should establish 
formal and transparent arrangements for considering how they should
apply the corporate reporting and risk management and internal control 
principles and for maintaining an appropriate relationship with the 
organisation's auditors. 


Please refer to our letter of engagement for full details of responsibilities 
and other terms and conditions. 


Scope 
Our review involved an assessment of the following risks: 


• The expected benefits and functionality to be derived from the
successful implementation of the new finance system may not have
been achieved resulting in an inability of the finance system to support
effective decision making and savings from greater efficiencies in and
effectiveness of financial control and reporting;

• The functionality of the new finance system may not include accurate
and complete management information that is automated resulting in
financial management that is inefficient and ineffective in holding
departmental heads to account for their areas’ financial performance;

• The ICO may not have undertaken a detailed lessons learned exercise
following the conclusion of this project resulting in a failure to prevent
poor practice from being repeated in future similar projects.


Additional information 
Client staff 
The following staff were consulted as part of this review: 


• Heather Dove (Head of Finance);

• Simon Wiseman (Project Manager);

• Andy Laing (Head of Performance Improvement);

• Louise Byers (Head of Good Practice);

• Michael Collins (Head of Organisation Development);

• Anne Jones (Deputy Commissioner Wales).


Documents received
The following documents were received during the course of this audit:


• Project Brief v0.2

• Project plan

• Project Closure document

• Lessons Learned v1.2

• Examples of financial reporting (for whole department and for
business units)

• Creditor and Debtor review (September 2015)


Locations 
We visited The Information Commissioner's Office, Wilmslow for this 
review. 
B Definition of overall assessment internal audit ratings


Overall assessment 


Rating Description 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which should be 
raised with Senior Management and the Audit Committee at the earliest opportunity. 


Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which require the 
attention of management to resolve and report on progress in line with current follow up processes. 


We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control. 


Audit issue rating
Within each report, every audit issue is given a rating. This is summarised in the table below.


Rating | Description | Features


Description: Findings that are fundamental to the management of risk in the business
area, representing a weakness in control that requires the immediate
attention of management

Features:

• Key control not designed or operating effectively

• Potential for fraud identified

• Non compliance with key procedures / standards

• Non compliance with regulation


Description: Important findings that are to be resolved by line management.

Features:

• Impact is contained within the department and compensating
controls would detect errors

• Possibility for fraud exists

• Control failures identified but not in key controls

• Non compliance with procedures / standards (but not resulting in key
control failure)


Description: Findings that identify non-compliance with established procedures.

Features:

• Minor control weakness

• Minor non compliance with procedures / standards


Description: Items requiring no action but which may be of interest to management or
best practice advice

Features:

• Information for department management

• Control operating but not necessarily in accordance with best
practice